vulnerabilities · jun 29, 2026 · 19:56 utc
CVE-2026-48558: SimpleHelp Exploited to Drop Djinn Stealer
CVE-2026-48558 (CVSS 10.0) in SimpleHelp ≤5.5.15 is actively exploited to drop Djinn Stealer. ~1,000 servers exposed. Patch to v5.5.16 or v6.0 RC2 now.
by Emanuel De Almeida

TL;DR
- CVE-2026-48558 is a CVSS 10.0 authentication bypass in SimpleHelp versions 5.5.15 and earlier, and all 6.0 pre-release builds before RC2.
- Attackers are actively exploiting it to gain authenticated technician sessions and deploy Djinn Stealer - a previously undocumented cross-platform infostealer - alongside the TaskWeaver malware loader.
- Approximately 1,000 internet-exposed SimpleHelp servers are in a directly exploitable configuration using vulnerable OIDC authentication.
- SimpleHelp pushed patches (v5.5.16 and v6.0 RC2) on May 26, 2026 - before active exploitation was confirmed.
- SimpleHelp RMM has a documented history of exploitation; prior CVEs from 2024-2025 landed in CISA's Known Exploited Vulnerabilities catalog.
How Is CVE-2026-48558 Being Exploited?
CVE-2026-48558 is the flaw at the center of confirmed, active attacks against SimpleHelp RMM servers. A threat actor exploited it to establish a fully authenticated technician session - with no credentials - then dropped both the TaskWeaver loader and the newly identified Djinn Stealer on victim systems. MDR provider Blackpoint investigated the incident and confirmed the exploitation chain, as reported by BleepingComputer. This is active exploitation, not theoretical risk.
When we reviewed Horizon3.ai's published disclosure and the BleepingComputer incident write-up, the attack path was clear: forge an OIDC token, authenticate as a privileged technician, deploy payloads. No credential brute-forcing required.
What Is CVE-2026-48558?
CVE-2026-48558 carries a perfect CVSS score of 10.0. The root cause is a failure to verify cryptographic signatures on OIDC identity tokens. An attacker can forge a token and authenticate as any user - including a privileged technician - with no password required. Tenable confirms affected versions include 5.5.15 and earlier, plus all 6.0 builds before RC2.
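The missing check described above, as an added example that is not SimpleHelp's code: a decoder that trusts an ID token's claims without looking at the signature, beside a hardened one that pins the algorithm, verifies the signature in constant time and then validates issuer, audience and expiry. To run offline it uses HS256 with a constructed shared key; real OIDC ID tokens are normally RS256-signed against the provider's published keys, and the issuer, audience, key and claim values here are all assumed.

```python
import base64, hashlib, hmac, json, time

ISSUER, AUDIENCE = "https://idp.example", "simplehelp-demo"  # constructed values
KEY = b"constructed-demo-hmac-key"  # constructed; real OIDC providers publish RSA keys (RS256)

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sample_claims() -> dict:
    # Constructed technician identity: the claims a forged token would assert.
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": "tech1", "role": "technician",
            "exp": int(time.time()) + 600}

def sign_token(claims: dict) -> str:
    # Genuine token from the trusted provider (HS256 here stands in for RS256).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def forge_token(claims: dict) -> str:
    # Forged token: chosen claims, an "alg": "none" header and an empty signature.
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def vulnerable_identity(token: str) -> dict:
    # The bug class: decode the payload and trust its claims; the signature is never checked.
    return json.loads(_b64url_decode(token.split(".")[1]))

def verified_identity(token: str) -> dict:
    # Hardened: pinned algorithm, constant-time signature check, then iss/aud/exp checks.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects "none" and algorithm confusion
    expected = hmac.new(KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims
```

The vulnerable decoder grants the forged token a technician identity; the hardened one rejects it at the algorithm check before any claim is read.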
The timeline is tight. Horizon3.ai discovered the flaw on May 21, 2026 using an autonomous AI vulnerability-hunting system, reported it the next day, and SimpleHelp shipped fixes by May 26. Public disclosure followed on June 12. Exploitation came shortly after.
CVE Comparison: SimpleHelp Vulnerabilities
| CVE ID | CVSS | Affected Versions | Patch Version | KEV Listed | Exploit Type |
|---|---|---|---|---|---|
| CVE-2026-48558 | 10.0 | 5.5.15 and earlier, 6.0 pre-RC2 | v5.5.16, v6.0 RC2 | Pending | Auth bypass via forged OIDC token |
| CVE-2024-57727 | High | Pre-patch builds (Jan 2025) | Jan 2025 patch | Yes (Feb 13, 2025) | Path traversal |
| CVE-2024-57726 | High | Pre-patch builds (Jan 2025) | Jan 2025 patch | Yes (Apr 2026) | Privilege escalation |
| CVE-2024-57728 | High | Pre-patch builds (Jan 2025) | Jan 2025 patch | Yes (Apr 2026) | File write |
Who Is at Risk?
Exposure is significant. Horizon3.ai found roughly 14,000 SimpleHelp servers reachable from the public internet at the time of disclosure - up from about 3,400 exposed servers documented in January 2025. About 7.2% of sampled servers used the vulnerable OIDC authentication method, putting approximately 1,000 servers in a directly exploitable state.
Djinn Stealer adds another layer of concern. It targets Windows, macOS, and Linux simultaneously. According to the BleepingComputer report citing Blackpoint's investigation, this cross-platform reach is a notable characteristic for a newly discovered stealer - meaning a single successful intrusion can sweep credentials and sensitive data across heterogeneous environments. The Verizon 2025 Data Breach Investigations Report found that 54% of ransomware victims had organizational domains appear in infostealer credential dumps, which illustrates how stealer deployments feed downstream ransomware chains.
Is This Part of a Pattern?
Yes. SimpleHelp has become a repeating target. CISA added earlier SimpleHelp CVEs - CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, all disclosed by Horizon3.ai in January 2025 - to its Known Exploited Vulnerabilities catalog. CVE-2024-57727 was listed as early as February 13, 2025, with the other two added in April 2026.
Ransomware actors were among those exploiting SimpleHelp RMM access in that earlier wave. CISA issued a formal advisory (AA25-163A) on June 12, 2025, warning that this pattern of targeting unpatched SimpleHelp instances had been active since January 2025. The playbook is consistent: a new SimpleHelp flaw surfaces, a patch ships quickly, and exploitation follows disclosure within weeks.
This fits a broader shift in attacker behavior. Huntress researchers found a 277% year-over-year increase in RMM abuse, with threat actors abandoning traditional hacking tools in favor of RMM platforms to drop malware and steal credentials - while use of traditional hacking tools fell 53%. SimpleHelp is a named target in that trend. The pattern also mirrors what we cover in CVE-2026-20253: Critical Splunk RCE Actively Exploited, where a high-CVSS flaw in widely deployed infrastructure software moved from disclosure to exploitation in a matter of days.
What Should Admins Do Now?
Patches exist and have existed since May 26, 2026. CISA's Known Exploited Vulnerabilities catalog mandates that federal agencies patch KEV-listed vulnerabilities within defined remediation windows under BOD 22-01 - and given CVE-2026-48558's CVSS 10.0 score and confirmed active exploitation, non-federal organizations should apply the same urgency. Apply the fix before doing anything else.
Prioritize the actions below in order:
- Patch immediately. Upgrade to SimpleHelp v5.5.16 (stable) or v6.0 RC2 (pre-release) - the only versions containing the CVE-2026-48558 fix.
- Audit OIDC configuration. Check your SimpleHelp admin panel under Authentication > OIDC Settings. If OIDC is enabled and you have not patched, disable it as an interim measure.
- Pull your server off the public internet if possible. Place SimpleHelp behind a VPN or restrict access by IP using firewall rules until patching is complete. See our Microsoft Entra PIM configuration guide for an example of layering access controls on remote-access tooling.
- Hunt for indicators of compromise. Review SimpleHelp server logs for unexpected technician session creation events, especially any OIDC-authenticated session from an unrecognized source IP. Look for processes spawned by the SimpleHelp service account that you did not initiate.
- Check for TaskWeaver and Djinn Stealer artifacts. Search endpoints for unusual scheduled tasks, new services, or unfamiliar binaries dropped in %TEMP% or equivalent directories on macOS and Linux.
- Report confirmed compromises. If you find evidence of exploitation, notify CISA and follow your incident response plan. Blackpoint's investigation (report pending public release) indicates the attacker chain moves fast from initial access to data theft.
For teams managing remote-access infrastructure more broadly, the Cisco Unified CM SSRF Flaw CVE-2026-20230 advisory and the CVE-2026-12569 PTC Windchill RCE warning follow the same exploit-after-disclosure pattern - patch SLAs apply equally there.
If your environment runs Linux endpoints, the CVE-2026-31431 Linux privilege escalation flaw is another active risk worth stacking into the same patching sprint, since Djinn Stealer targets Linux alongside Windows and macOS.
Frequently Asked Questions
Is CVE-2026-48558 being exploited right now?
Yes. Blackpoint confirmed an incident where a threat actor exploited the flaw to authenticate as a privileged technician and deploy both TaskWeaver and Djinn Stealer. Active exploitation was confirmed after SimpleHelp released patches, so the window between patch availability and in-the-wild abuse was short.
Do I need OIDC enabled for my server to be vulnerable?
The most direct exploitation path targets servers with OIDC authentication enabled - roughly 7.2% of sampled public-facing servers, or about 1,000 servers. Servers not using OIDC face lower immediate risk, but patching to v5.5.16 or v6.0 RC2 is still strongly recommended regardless of your authentication configuration.
What does Djinn Stealer steal?
Djinn Stealer is a previously undocumented infostealer targeting Windows, macOS, and Linux. Based on the Blackpoint investigation, it is designed to harvest credentials and sensitive data across platforms. Full capability analysis is ongoing - treat any confirmed deployment as a potential full-credential compromise.
Were previous SimpleHelp vulnerabilities actually exploited?
Yes. CISA added three SimpleHelp CVEs from January 2025 to its Known Exploited Vulnerabilities catalog - the first as early as February 2025. Ransomware actors were among those exploiting RMM access. This history makes fast patching of any new SimpleHelp flaw a high-priority obligation.
source: www.bleepingcomputer.com